Attachment 2

Access Control https://leocontent.umgc.edu/content/umuc/tgs/cst/cst620/2212/learning-t...

Learning Topic
Access Control

Dover Castle
Dover Castle, built by King Henry II, was a way to control physical access.

Author: Jake Keup. Source: Wikimedia Commons. License: CC BY 2.0.

1 of 11 4/24/2021, 8:45 PM

Access control is the process by which permissions are granted for given
resources. Access control can be physical (e.g., locked doors accessed
using various control methods) or logical (e.g., electronic keys or
credentials). There are several access control models, including:

Role‐based access control: Access is granted based on individual roles.

Mandatory access control: Access is granted by comparing data sensitivity levels with user sensitivity access permissions.

Attribute‐based access control: Access is granted based on assigned attributes.

Discretionary access control: Access is granted based on the identity and/or group membership of the user.

The access control model used is determined based on the needs of the
organization. To determine the best model, a risk assessment should be
performed to determine what threats might be applicable. This
information is then used to assess which model can best protect against
the threats.
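
The four models listed above can be compared by running one request through each of them. The following is an added example, not part of the original course page: the subject, resource, role table, label ordering and attribute policy are all constructed for illustration, and the MAC check is simplified to a single dominance test applied to every action.

```python
LEVELS = {"public": 0, "confidential": 1, "secret": 2}      # constructed ordering
ROLE_PERMS = {"cashier": {("register", "read"), ("register", "write")},
              "auditor": {("register", "read")}}            # constructed role table

def rbac(s, r, action):
    # Role-based: some role held by the subject carries the permission.
    return any((r["name"], action) in ROLE_PERMS.get(role, set()) for role in s["roles"])

def mac(s, r, action):
    # Mandatory: the subject's label must dominate the resource's label
    # (level at least as high, category set a superset). Simplification:
    # the same dominance test is applied to every action.
    return LEVELS[s["clearance"]] >= LEVELS[r["level"]] and r["categories"] <= s["categories"]

def abac(s, r, action):
    # Attribute-based (constructed policy): same department; writes only on shift.
    same_dept = s["attrs"].get("dept") == r["attrs"].get("dept")
    return same_dept and (action == "read" or s["attrs"].get("on_shift", False))

def dac(s, r, action):
    # Discretionary: the user's identity or a group they belong to is on the ACL.
    return any(action in r["acl"].get(p, set()) for p in {s["name"]} | s["groups"])

def grant(owner, r, principal, action):
    # DAC only: the resource owner extends access at their own discretion.
    if owner != r["owner"]:
        raise PermissionError(f"{owner} does not own {r['name']}")
    r["acl"].setdefault(principal, set()).add(action)

def evaluate(s, r, action):
    # Run the same request through each model independently.
    return {m.__name__: m(s, r, action) for m in (rbac, mac, abac, dac)}

def demo():
    # Constructed sample data: a cashier and a point-of-sale register.
    alice = {"name": "alice", "roles": {"cashier"}, "groups": {"store-12"},
             "clearance": "confidential", "categories": {"finance"},
             "attrs": {"dept": "retail", "on_shift": False}}
    register = {"name": "register", "owner": "bob", "level": "confidential",
                "categories": {"finance", "payroll"}, "attrs": {"dept": "retail"}, "acl": {}}
    before = evaluate(alice, register, "write")
    grant("bob", register, "store-12", "write")   # owner adds alice's group to the ACL
    return before, evaluate(alice, register, "write")

if __name__ == "__main__":
    for label, result in zip(("before grant", "after grant"), demo()):
        print(label, result)
```

The same write request is allowed by the role table, refused by the MAC check because the register's label carries a category the subject lacks, refused by the attribute policy because the subject is off shift, and allowed under DAC only once the owner has added the subject's group to the ACL.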


Resources

Required

Technological Safeguards (https://lti.umgc.edu/contentadaptor/topics/byid/4fb7de4e-64e9-4084-83c8-152930d1d965)

ID Management Issues and Requirements (https://lti.umgc.edu/contentadaptor/topics/byid/a8963bea-7cba-47b9-8be1-ccffc7faecad)

NIST 800‐53v4 (https://lti.umgc.edu/contentadaptor/topics/byid/ead48b84-8dbd-4279-9093-1456c7a70e14) (Pages F‐7 through F‐36)

An Introduction to Role‐Based Access Control (https://lti.umgc.edu/contentadaptor/topics/byid/5aefed15-9929-458a-b849-26a1497b7c66)

Attribute‐Based Access Control (https://lti.umgc.edu/contentadaptor/topics/byid/ae4cebd4-4980-41b0-9a6b-76dade047866)

Database Security & Access Control Models: A Brief Overview (https://lti.umgc.edu/contentadaptor/topics/byid/ac02a03d-a4e6-4f74-8dec-48f61011c459)

Access Control as a Service for the Cloud (https://lti.umgc.edu/contentadaptor/topics/byid/7fa422b2-f0af-405d-af24-5d2963508871)

Security Information in Production and Operations: A Study on Audit Trails in Database Systems (https://lti.umgc.edu/contentadaptor/topics/byid/1ef6dbbc-fba8-4fbd-8ad0-5178cdc34d5f)

State‐of‐the‐Art Authentication, Access Control, and Secure Integration in Smart Grid (https://lti.umgc.edu/contentadaptor/topics/byid/9df7318a-edca-4067-bbde-7144f57ff592)

RFID Privacy Risk Evaluation Based on Synthetic Method of Extended Attack Tree and Information Feature Entropy (https://lti.umgc.edu/contentadaptor/topics/byid/dd96b7d4-dae3-4d2c-8026-c1c547dd1cde)

Broken Access Control (https://lti.umgc.edu/contentadaptor/topics/byid/357e6164-2ea5-4a79-b42e-cb65ff7aec79)

Web Application Security (https://lti.umgc.edu/contentadaptor/topics/byid/53483274-77d9-47c8-9899-c71f56b14d52)

Recommended

Trust‐Based Access Control Model From Sociological Approach in Dynamic Online Social Network Environment (https://lti.umgc.edu/contentadaptor/topics/byid/b435114b-1415-43d9-89a4-2b9d2e9e46f4)

Dynamic Access Control Model for Security Client Services in Smart Grid (https://lti.umgc.edu/contentadaptor/topics/byid/13f6ed4d-8d36-444b-a3e3-f9b76ced1719)

RFID Security Issues (https://lti.umgc.edu/contentadaptor/topics/byid/f46e4e18-85d6-4e32-a2a2-6b8d641404fa)

Assessment of Access Control Systems (https://lti.umgc.edu/contentadaptor/topics/byid/f9ac97c2-1d65-4c8a-955f-ac738a1305ce)

A Survey of Access Control Models (https://lti.umgc.edu/contentadaptor/topics/byid/4f659aa4-0815-4030-ae69-3119e0814543)

Cloud Multidomain Access Control Model Based on Role and Trust‐Degree (https://lti.umgc.edu/contentadaptor/topics/byid/9af7f492-ac89-4c7a-992f-b4796cf3196e)

Using Security Labels for Directory Access Control & Replication Control (https://lti.umgc.edu/contentadaptor/topics/byid/dd208227-cb08-4870-b88d-c32e37411458)

OWASP Top 10 for .NET Developers Part 3: Broken Authentication and Session Management (https://lti.umgc.edu/contentadaptor/topics/byid/2bf14b05-806e-4eaf-b394-f4077306913e)

Check Your Knowledge

Choose the best answer to each question:


Question 1
When a user can dynamically (or selectively) assign
privileges for other users of the system, this is called which
of the following access control models?

SoD

MAC

RBAC

DAC

Question 2
When a retail company places access control policies in
place for its cashiers, it has implemented which of the
following types of policies?

role‐based policy

identity‐based policy

mandatory access policy

separation of duties policy

Question 3
A sensitivity level attached to an object must contain which
of the following in mandatory access control?

the item's classification

the item's classification and category set

the item's category

the item's need to know

Question 4
When controlling access to an object by a subject, security
professionals must set up access rules. The following are
the three access control models that can be used to set up
these rules.

mandatory, discretionary, nondiscretionary

role‐based, identity‐based, attribute‐based

MAC, DAC, RBAC

none of the above

Question 5
Rule‐based access control (RuBAC) access is determined by
rules that are in which of the following categories?

discretionary access control (DAC)

role‐based access control (RBAC)

nondiscretionary access control (NDAC)

identity‐based access control

Question 6
Which of the following is the category with rules that are
not established by user preferences and can only be
changed administratively?

nondiscretionary access control

discretionary access control

mandatory access control

system‐based access control

Question 7
Which of the following is true of the mandatory access
control environment?

The system or security administrator will define the permissions for subjects.

The administrator does not dictate the user's access.

The administrator configures the proper level of access as dictated by the data.

all of the above

Question 8
Which of the following is defined as the dominance
relationship of the MAC system?

The security clearance of the subject is reviewed and compared with the object sensitivity level or classification level.

The security clearance of the subject is not important because the system provides authorization.

The security clearance of the subject is compared with the separation of duties policy, and access is provided.

The security clearance of the subject has to be at the highest level of top secret.

Question 9
Which of the following is not an access control technique?

remote access controls

discretionary access control

mandatory access control

role‐based access control

Question 10
In some access control models, the data owner or resource
owner can specify access to resources based on identity.
Which of the following access control models does this
describe?

discretionary access control

mandatory access control

identity‐based access control

rule‐based access control

Question 11
As the name implies, which of the following access control
models is an example of DAC based on the characteristic of
the user?

role‐based access control

rule‐based access control

identity‐based access control

mandatory access control

Licenses and Attributions


Chapter Twelve: Western Europe and Byzantium circa 1000‐1500 CE
(https://open.umn.edu/opentextbooks/textbooks/world-history-cultures-states-and-societies-to-1500)
from World History: Cultures, States, and Societies to 1500 by Berger et al.
is available under a Creative Commons Attribution‐ShareAlike 4.0 International
(https://creativecommons.org/licenses/by-sa/4.0/) license. UMUC has
modified this work and it is available under the original license.


© 2021 University of Maryland Global Campus

All links to external sites were verified at the time of publication. UMGC is not responsible for the
validity or integrity of information located at external sites.
